DEN-5843: Standardize Dependabot configuration #303

Closed
Copilot wants to merge 2 commits into master from copilot/den-5843-standardize-dependabot


Copilot AI commented Feb 17, 2026

Proposed change

Standardizes Dependabot configuration per DEN-5843 guidelines. Implements daily schedule at 08:30 Berlin time, patch+minor grouping, and cooldown periods (21d major, 7d minor, 3d patch) to reduce update fatigue. Adds auto-approve on PR open and daily weekday auto-merge workflows.

Changes:

  • .github/dependabot.yml: Added to both uv and npm ecosystems:
    • open-pull-requests-limit: 5
    • Daily schedule with Berlin timezone
    • patch-and-minor grouping
    • Cooldown with *getyourguide* exclusions
  • .github/workflows/dependabot-approve.yml: Auto-approves Dependabot PRs on open/synchronize
  • .github/workflows/dependabot-automerge.yml: Merges approved PRs weekdays at 09:00 via cron

Implementation Reasoning:
Standardizing Dependabot configuration across DEN repositories to ensure consistent dependency update practices. Daily schedule at 08:30 Berlin time aligns with team working hours. Patch and minor updates are grouped to reduce PR noise. Cooldown periods prevent update fatigue (21 days for major, 7 for minor, 3 for patch). Auto-approve and auto-merge workflows automate the review process for low-risk dependency updates, freeing up developer time.

Reference: getyourguide/schema-catalog-mcp

How to test the change

No local testing required. Workflows will trigger on next Dependabot PR. Verify:

  • Dependabot runs at scheduled time
  • PRs auto-approve on creation
  • Auto-merge runs weekdays at 09:00

Checklist

  • Tests have been added to verify that the new code works (if possible)
  • Documentation has been updated to reflect changes
  • CHANGELOG.md has been updated to reflect changes
Original prompt

Requested by: fabio.ueno@getyourguide.com

Branch naming: Please prefix your branch with DEN-5843-standardize-dependabot

Jira Ticket: DEN-5843

Context:
Standardize Dependabot configuration across DEN repositories with daily schedule, patch+minor grouping, cooldown periods, auto-approve on PR open, and daily weekday auto-merge. Reference: getyourguide/schema-catalog-mcp.

Work Needed:

  1. Update .github/dependabot.yml (MERGE, do not replace):

    • For EVERY existing package-ecosystem entry, add/update these properties (preserve all existing directory, ignore, allow, registries, labels, reviewers, assignees, target-branch):
      open-pull-requests-limit: 5
      schedule:
        interval: daily
        time: "08:30"
        timezone: Europe/Berlin
      groups:
        patch-and-minor:
          update-types:
            - patch
            - minor
    • For github-actions ecosystem, add:
      cooldown:
        default-days: 7
        exclude:
          - getyourguide/*
    • For all other ecosystems (gomod, npm, pip, docker, gradle, maven, cargo, composer, bundler, etc.), add:
      cooldown:
        semver-major-days: 21
        semver-minor-days: 7
        semver-patch-days: 3
        default-days: 7
        exclude:
          - '*getyourguide*'
  2. Create/replace .github/workflows/dependabot-approve.yml:

    name: Dependabot Approve
    
    on:
      pull_request:
        types: [opened, synchronize]
    
    concurrency:
      group: ${{ github.workflow }}${{ github.ref_name != github.event.repository.default_branch && github.ref || github.run_id }}
      cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}
    
    permissions:
      contents: read
      pull-requests: write
    
    jobs:
      auto-approve:
        name: Approve PR
        uses: getyourguide/actions/.github/workflows/dependabot-approve.yml@main
        with:
          pr-url: ${{ github.event.pull_request.html_url }}
  3. Create/replace .github/workflows/dependabot-automerge.yml:

    name: Dependabot Auto Merge
    
    on:
      workflow_dispatch:
      schedule:
        - cron: "0 9 * * 1-5"
    
    concurrency:
      group: ${{ github.workflow }}${{ github.ref_name != github.event.repository.default_branch && github.ref || github.run_id }}
      cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}
    
    permissions:
      pull-requests: write
      id-token: write
    
    jobs:
      auto-merge:
        name: Auto merge
        uses: getyourguide/actions/.github/workflows/dependabot-merge.yml@main
        secrets: inherit
        with:
          slack_ping_support: true
  4. Cleanup: Delete any existing workflows with different names serving the same purpose (e.g., auto-approve-dependabot.yml, dependabot-auto-approve.yml, auto-merge-dependabot.yml).

Implementation Reasoning:
Standardizing Dependabot configuration across DEN repositories to ensure consistent dependency update practices. Daily schedule at 08:30 Berlin time aligns with team working hours. Patch and minor updates are grouped to reduce PR noise. Cooldown periods prevent update fatigue (21 days for major, 7 for minor, 3 for patch). Auto-approve and auto-merge workflows automate the review process for low-risk dependency updates, freeing up developer time.

Note: Include the "Implementation Reasoning" section above in your PR description on GitHub.

Acceptance Criteria:

  • dependabot.yml updated with new schedule, grouping, and cooldown rules for all existing ecosystems
  • Both workflow files created/replaced with standardized versions
  • Old workflow files with different names removed
  • No existing ecosystem entries, directory paths, or custom settings lost
  • YAML is valid and conforms to Dependabot v2 schema

Commit message: chore: standardize dependabot configuration
PR description: Standardizes Dependabot config (schedule, grouping, cooldown, auto-approve, auto-merge) per DEN guidelines. Reference: getyourguide/schema-catalog-mcp.



@gyg-pr-tool gyg-pr-tool bot changed the title [WIP] Standardize Dependabot configuration across DEN repositories DEN-5843: [WIP] Standardize Dependabot configuration across DEN repositories Feb 17, 2026
Co-authored-by: gygrobot <19344429+gygrobot@users.noreply.github.com>
Copilot AI changed the title DEN-5843: [WIP] Standardize Dependabot configuration across DEN repositories chore: standardize dependabot configuration Feb 17, 2026
Copilot AI requested a review from gygrobot February 17, 2026 13:25
@gyg-pr-tool gyg-pr-tool bot changed the title chore: standardize dependabot configuration DEN-5843: chore: standardize dependabot configuration Feb 17, 2026
@gygrobot gygrobot requested a review from fabioueno February 17, 2026 13:31
@fabioueno fabioueno changed the title DEN-5843: chore: standardize dependabot configuration DEN-5843: Standardize Dependabot configuration Feb 19, 2026
@fabioueno fabioueno closed this Feb 20, 2026
@fabioueno fabioueno deleted the copilot/den-5843-standardize-dependabot branch February 20, 2026 08:54